Operation Shady RAT: five-year hack attack hit 14 countries

The governments of the United States, Canada, and South Korea, as well as the UN, the International Olympic Committee, and 12 US defense contractors were among those hacked in a five-year hacking campaign dubbed "Operation Shady RAT" by security firm McAfee, which revealed the attacks. Many of the penetrations were long-term, with 19 intrusions lasting more than a year, and five lasting more than two. Targets were found in 14 different countries, across North America, Europe, India, and East Asia.

The infiltration was discovered during an investigation of break-ins at defense contractors, when McAfee came across a command-and-control server that the hackers used to direct the remote administration tools ("RATs," hence the name "Operation Shady RAT") installed inside the victim organizations. The server was first detected in 2009; McAfee began analyzing it in March this year. On the machine the company found extensive logs of the attacks that had been performed. Seventy-two organizations were positively identified from this information; the company warns that there were likely other victims, but the logs did not contain enough information to determine who they were.
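The intrusion-duration figures above (19 intrusions lasting more than a year, five more than two) are the kind of result an analyst derives from a C2 server's logs by taking, per victim, the first and last time it checked in. The script below is an added example of that dwell-time analysis and is not code from the original article or from McAfee; the log format, the victim tags and every timestamp are constructed for illustration, and real C2 logs will look different.

```python
"""Dwell-time analysis over constructed C2 beacon logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "<ISO timestamp> <victim_tag> <event>".
# Victim tags and dates are hypothetical; they are not from the real server.
SAMPLE_LOG = """\
2006-07-03T09:12:44 KR-CONSTRUCT-01 beacon
2006-08-19T11:02:01 KR-CONSTRUCT-01 upload
2007-09-30T16:45:12 KR-CONSTRUCT-01 beacon
2008-01-14T08:00:05 US-DEFENSE-07 beacon
2008-02-02T08:00:07 US-DEFENSE-07 upload
2010-06-30T19:31:55 US-DEFENSE-07 beacon
2010-09-11T05:20:33 IN-GOV-02 beacon
2010-09-12T05:20:40 IN-GOV-02 beacon
2011-05-27T02:14:09 US-THINKTANK-03 upload
this line is truncated
2011-05-27T02:14:09 US-THINKTANK-03 upload
"""


def parse_log(text):
    """Return {victim: (first_seen, last_seen, event_count)}.

    Malformed lines are skipped rather than aborting the whole run, since
    recovered logs are rarely clean.
    """
    first, last, count = {}, {}, defaultdict(int)
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) != 3:
            continue  # wrong field count: not a log record we understand
        ts_str, victim, _event = parts
        try:
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: skip
        if victim not in first or ts < first[victim]:
            first[victim] = ts
        if victim not in last or ts > last[victim]:
            last[victim] = ts
        count[victim] += 1
    return {v: (first[v], last[v], count[v]) for v in first}


def dwell_days(first_seen, last_seen):
    """Days between first and last observed activity.

    This is a lower bound on the true intrusion length: the victim was
    compromised before its first beacon and may have stayed so after the last.
    """
    return (last_seen - first_seen).days


def summarize(text):
    """Bucket victims by how long the intrusion persisted."""
    sessions = parse_log(text)
    over_one_year = sorted(
        v for v, (f, l, _) in sessions.items() if dwell_days(f, l) > 365)
    over_two_years = sorted(
        v for v, (f, l, _) in sessions.items() if dwell_days(f, l) > 730)
    earliest = min(sessions, key=lambda v: sessions[v][0])
    latest = max(sessions, key=lambda v: sessions[v][1])
    return {
        "victims": len(sessions),
        "over_one_year": over_one_year,
        "over_two_years": over_two_years,
        "first_compromised": earliest,
        "last_activity": latest,
    }


if __name__ == "__main__":
    for victim, (f, l, n) in sorted(parse_log(SAMPLE_LOG).items()):
        print(f"{victim:16} {f.date()} -> {l.date()}  {dwell_days(f, l):4d} days, {n} events")
    print(summarize(SAMPLE_LOG))
```

Because the figure is first-seen to last-seen, it understates dwell time; in an engagement you would cross-check it against host artifacts (RAT install dates, persistence keys) rather than trust the server side alone.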

The attacks themselves used spear-phishing techniques that are by now standard. Apparently legitimate e-mails with attachments are sent to employees of the target organization, and those attachments carry exploit code that compromises the employee's system; according to McAfee, these exploits are typically zero-day attacks. With a PC compromised, the hackers install RAT software on it, giving them long-term monitoring, credential collection, network probing, and data exfiltration.

Many other attacks have followed the same pattern. The same technique was used to break into security company RSA, the French and Canadian Finance Ministries, and many oil and gas companies this year. It was also used in the Operation Aurora attacks against Google and other companies discovered in late 2009.

The first organization to be hacked in this campaign was a South Korean construction company, first broken into in July 2006. Break-ins continued until September 2010, when an Indian government agency was compromised. Data theft continued beyond that date, with both an American think tank and the Hong Kong office of an American news agency—reported by Vanity Fair to be the Associated Press—being pillaged until May of this year.

McAfee says that the total data stolen through these attacks amounted to petabytes. Where it has gone and who has used it remains unknown. The targets were a mix of governments, technology and defense companies, nonprofit sports bodies, and think tanks. Because of this last category, McAfee argues that the attacks were most likely the work of a state actor, since the commercial value of the sporting organizations' data is low. The firm did not specify which country it believed to be responsible, but Jim Lewis of the Center for Strategic and International Studies, after being briefed by McAfee, accused China of being the perpetrator. China has been accused of such attacks before; Lewis said that the presence of the International Olympic Committee and the Taiwanese government on the list of victims further pointed to China.

The security company is working with US government agencies to try to shut down the command-and-control server. The firm has also worked with the victims to inform them of the attacks and offer assistance with their response. These offers have not always been warmly received: some victims denied that they had been compromised even when presented with overwhelming evidence that they had.

For all the press that Anonymous and LulzSec have received, McAfee warns that long-term, targeted attacks of this kind are a far more serious threat to both corporations and governments. The damage, the loss of intellectual property and secrets, is far greater, and the attackers, motivated not by a desire to get rich quick or a quest for lulz but by a long-term goal of stealing massive amounts of data, are far more measured and tenacious. So widespread are the attacks that Dmitri Alperovitch, McAfee's Vice President of Threat Research, said that the only companies not at risk are those with nothing worth taking, and that the world's biggest firms come in just two kinds: those that know they have been compromised, and those that have not yet realized it.